Re: Re: SSH host key rotation – known_hosts file not updated

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Mon, Oct 14, 2024 at 5:33 AM Jan Eden via openssh-unix-dev
<openssh-unix-dev@xxxxxxxxxxx> wrote:
redacted hostname and port – sorry, should have mentioned that.
>
> > Anyway, in answer to your question. The "host key found matching a different
> > name/address" is triggered when a key received from the server in an update
> > already exists under a different name. If you turn the debugging level up,
> > then you'll see the name(s) that it matches too:
> >
> >   2100          if (sshkey_equal(l->key, ctx->keys[i])) {
> >   2101                  ctx->other_name_seen = 1;
> >   2102                  debug3_f("found %s key under different "
> >   2103                      "name/addr at %s:%ld",
> >   2104                      sshkey_ssh_name(ctx->keys[i]),
> >   2105                      l->path, l->linenum);
> >   2106                  return 0;
> >   2107          }
> >   2108  }
>
> Thank you! Increasing the verbosity revealed a known_hosts entry linked
> to serverA's IP address (I had forgotten that I had connected to it by
> IP address at some point). Deleting this entry solved the problem; the
> new host key was stored in known_hosts when I connected to serverA
> again.
>
> - Jan

And... *THIS* is why so many people disable known_hosts entirely. The
chance of an IP address being reused for a distinct hostname is pretty
high in a DHCP environment without reservations, coupled with dynamic
DNS. It's also very common when servers get rebuilt from images and
fresh hostkeys generated automatically on the same hardware, even with
the same IP address. The popular solution is to simply disable
known_hosts in your ~/.ssh/config as needed:

    # Disable known_hosts to avoid IP re-use conflicts
    Host *
         UserKnownHostsFile /dev/null
          StrictHostKeyChecking no
          LogLevel ERROR
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux